Modified: trunk/Source/_javascript_Core/ChangeLog (220889 => 220890)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-18 00:19:39 UTC (rev 220890)
@@ -1,3 +1,24 @@
+2017-08-17 Robin Morisset <[email protected]>
+
+ Teach DFGFixupPhase.cpp that the current scope is always a cell
+ https://bugs.webkit.org/show_bug.cgi?id=175610
+
+ Reviewed by Keith Miller.
+
+ Also teach it that the argument to with can usually be speculated to be an object,
+ since toObject() is called on it.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePushWithScope):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+
2017-08-17 Matt Baker <[email protected]>
Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (220889 => 220890)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2017-08-18 00:19:39 UTC (rev 220890)
@@ -1710,14 +1710,24 @@
case CreateScopedArguments:
case CreateActivation:
- case PushWithScope:
case NewFunction:
case NewGeneratorFunction:
case NewAsyncFunction: {
- fixEdge<CellUse>(node->child1());
+ // Child 1 is always the current scope, which is guaranteed to be an object
+ // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
+ fixEdge<KnownCellUse>(node->child1());
break;
}
+ case PushWithScope: {
+ // Child 1 is always the current scope, which is guaranteed to be an object
+ // FIXME: should be KnownObjectUse once that exists (https://bugs.webkit.org/show_bug.cgi?id=175689)
+ fixEdge<KnownCellUse>(node->child1());
+ if (node->child2()->shouldSpeculateObject())
+ fixEdge<ObjectUse>(node->child2());
+ break;
+ }
+
case SetFunctionName: {
// The first child is guaranteed to be a cell because op_set_function_name is only used
// on a newly instantiated function object (the first child).
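Review bot: `fixEdge<KnownCellUse>(node->child1())` in the new `PushWithScope` case (and in the merged `CreateActivation`/`NewFunction` case above it) removes the runtime cell check that `CellUse` emitted, so the comment is now the only thing standing between a wrong assumption and the JIT treating a non-cell as a scope; the comment asserts the guarantee but not where it comes from. I would have it name the invariant, along the lines of `// Child 1 is the current scope, which is always a cell because <cite the invariant that produces it>, so KnownCellUse (no check) is safe.` — the FIXME to `KnownObjectUse` already implies the same trust. The `ObjectUse` speculation on child2 is unaffected because `ObjectUse` still emits a check and the untyped fallback keeps the `toObject()` path. The enclosing `fixupNode` switch starts and ends outside this hunk.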
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220889 => 220890)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-18 00:19:39 UTC (rev 220890)
@@ -1129,16 +1129,28 @@
SpeculateCellOperand currentScope(this, node->child1());
GPRReg currentScopeGPR = currentScope.gpr();
- JSValueOperand object(this, node->child2());
- JSValueRegs objectRegs = object.jsValueRegs();
-
GPRFlushedCallResult result(this);
GPRReg resultGPR = result.gpr();
+
+ auto objectEdge = node->child2();
+ if (objectEdge.useKind() == ObjectUse) {
+ SpeculateCellOperand object(this, objectEdge);
+ GPRReg objectGPR = object.gpr();
+ speculateObject(objectEdge, objectGPR);
+
+ flushRegisters();
+ callOperation(operationPushWithScopeObject, resultGPR, currentScopeGPR, objectGPR);
+ // No exception check here as we did not have to call toObject().
+ } else {
+ ASSERT(objectEdge.useKind() == UntypedUse);
+ JSValueOperand object(this, objectEdge);
+ JSValueRegs objectRegs = object.jsValueRegs();
+
+ flushRegisters();
+ callOperation(operationPushWithScope, resultGPR, currentScopeGPR, objectRegs);
+ m_jit.exceptionCheck();
+ }
- flushRegisters();
- callOperation(operationPushWithScope, resultGPR, currentScopeGPR, objectRegs);
- m_jit.exceptionCheck();
-
cellResult(resultGPR, node);
}
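Review bot: The `else` branch guarded by `ASSERT(objectEdge.useKind() == UntypedUse)` is reached for any use kind other than `ObjectUse` in release builds, since `ASSERT` compiles out; here that is benign because the untyped call accepts any JSValue, but the convention elsewhere in this file for dispatching on a use kind is `switch (objectEdge.useKind())` with `default: DFG_CRASH(m_jit.graph(), node, "Bad use kind");`, which fails loudly instead of silently choosing the slow path. The same shape appears in the FTL hunk of this commit (`compilePushWithScope` in FTLLowerDFGToB3.cpp). The `// No exception check here as we did not have to call toObject().` comment is only valid as long as `operationPushWithScopeObject` cannot throw; I would phrase it as that contract, e.g. `// operationPushWithScopeObject never throws (no toObject() conversion), so no exception check.`. The signature of `compilePushWithScope` is outside this hunk.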
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (220889 => 220890)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2017-08-18 00:19:39 UTC (rev 220890)
@@ -1396,6 +1396,11 @@
m_jit.setupArgumentsWithExecState(arg1, arg2.gpr());
return appendCallSetResult(operation, result);
}
+ JITCompiler::Call callOperation(C_JITOperation_ECO operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallSetResult(operation, result);
+ }
JITCompiler::Call callOperation(J_JITOperation_EJMic operation, JSValueRegs result, JSValueRegs arg, TrustedImmPtr mathIC)
{
m_jit.setupArgumentsWithExecState(arg.gpr(), mathIC);
@@ -1950,6 +1955,11 @@
m_jit.setupArgumentsWithExecState(arg1, arg2.payloadGPR(), arg2.tagGPR());
return appendCallSetResult(operation, result);
}
+ JITCompiler::Call callOperation(C_JITOperation_ECO operation, GPRReg result, GPRReg arg1, GPRReg arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2);
+ return appendCallSetResult(operation, result);
+ }
JITCompiler::Call callOperation(J_JITOperation_EJMic operation, JSValueRegs result, JSValueRegs arg, TrustedImmPtr mathIC)
{
m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg.payloadGPR(), arg.tagGPR(), mathIC);
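Review bot: The two added `callOperation(C_JITOperation_ECO operation, GPRReg result, GPRReg arg1, GPRReg arg2)` overloads are byte-identical. If, as the surrounding `payloadGPR()`/`tagGPR()` and `EABI_32BIT_DUMMY_ARG` lines suggest, the two hunks sit in the 64-bit and 32-bit sections of the class, a GPR-only overload has no JSValue layout dependence and could be declared once in the shared part of the class rather than twice; worth confirming against the `#if` structure, which is outside both hunks.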
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220889 => 220890)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-18 00:19:39 UTC (rev 220890)
@@ -4269,11 +4269,17 @@
void compilePushWithScope()
{
LValue parentScope = lowCell(m_node->child1());
- LValue object = lowJSValue(m_node->child2());
-
- LValue result = vmCall(Int64, m_out.operation(operationPushWithScope), m_callFrame, parentScope, object);
-
- setJSValue(result);
+ auto objectEdge = m_node->child2();
+ if (objectEdge.useKind() == ObjectUse) {
+ LValue object = lowNonNullObject(objectEdge);
+ LValue result = vmCall(Int64, m_out.operation(operationPushWithScopeObject), m_callFrame, parentScope, object);
+ setJSValue(result);
+ } else {
+ ASSERT(objectEdge.useKind() == UntypedUse);
+ LValue object = lowJSValue(m_node->child2());
+ LValue result = vmCall(Int64, m_out.operation(operationPushWithScope), m_callFrame, parentScope, object);
+ setJSValue(result);
+ }
}
void compileCreateActivation()
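Review bot: The untyped branch re-reads `m_node->child2()` at the `lowJSValue` call although `objectEdge` already holds that edge; `LValue object = lowJSValue(objectEdge);` keeps both branches reading the same value, and with `LValue result` declared above the `if` the duplicated `setJSValue(result);` collapses to a single call after it. The release-build behaviour of the `ASSERT(objectEdge.useKind() == UntypedUse)` fallback is the same as noted on the SpeculativeJIT hunk.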
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (220889 => 220890)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2017-08-18 00:19:39 UTC (rev 220890)
@@ -2010,6 +2010,14 @@
return JSWithScope::create(vm, exec->lexicalGlobalObject(), currentScope, object);
}
+JSCell* JIT_OPERATION operationPushWithScopeObject(ExecState* exec, JSCell* currentScopeCell, JSObject* object)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+ JSScope* currentScope = jsCast<JSScope*>(currentScopeCell);
+ return JSWithScope::create(vm, exec->lexicalGlobalObject(), currentScope, object);
+}
+
EncodedJSValue JIT_OPERATION operationInstanceOf(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedProto)
{
VM& vm = exec->vm();
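Review bot: `operationPushWithScopeObject` takes `object` as a raw `JSObject*` and casts `currentScopeCell` with `jsCast<JSScope*>`, which only checks in debug builds, so in release it fully trusts the callers' `KnownCellUse`/`ObjectUse` speculation; that trust chain, and the fact that the DFG caller skips the exception check after this call, deserve a comment at the definition. Something like `// Precondition: the JIT has already speculated |object| as an object (ObjectUse), so no toObject() conversion happens here and this must not throw; DFG callers emit no exception check after it.` would keep a future edit (e.g. adding a throwing path) from silently breaking the callers.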
Modified: trunk/Source/_javascript_Core/jit/JITOperations.h (220889 => 220890)
--- trunk/Source/_javascript_Core/jit/JITOperations.h 2017-08-17 23:32:18 UTC (rev 220889)
+++ trunk/Source/_javascript_Core/jit/JITOperations.h 2017-08-18 00:19:39 UTC (rev 220890)
@@ -213,6 +213,7 @@
typedef JSCell* (JIT_OPERATION *C_JITOperation_EJscI)(ExecState*, JSScope*, UniquedStringImpl*);
typedef JSCell* (JIT_OPERATION *C_JITOperation_ECJZ)(ExecState*, JSCell*, EncodedJSValue, int32_t);
typedef JSCell* (JIT_OPERATION *C_JITOperation_ECJ)(ExecState*, JSCell*, EncodedJSValue);
+typedef JSCell* (JIT_OPERATION *C_JITOperation_ECO)(ExecState*, JSCell*, JSObject*);
typedef double (JIT_OPERATION *D_JITOperation_D)(double);
typedef double (JIT_OPERATION *D_JITOperation_G)(JSGlobalObject*);
typedef double (JIT_OPERATION *D_JITOperation_DD)(double, double);
@@ -420,6 +421,7 @@
EncodedJSValue JIT_OPERATION operationDeleteByValJSResult(ExecState*, EncodedJSValue base, EncodedJSValue target) WTF_INTERNAL;
size_t JIT_OPERATION operationDeleteByVal(ExecState*, EncodedJSValue base, EncodedJSValue target) WTF_INTERNAL;
JSCell* JIT_OPERATION operationPushWithScope(ExecState*, JSCell* currentScopeCell, EncodedJSValue object) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationPushWithScopeObject(ExecState* exec, JSCell* currentScopeCell, JSObject* object) WTF_INTERNAL;
JSCell* JIT_OPERATION operationGetPNames(ExecState*, JSObject*) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationInstanceOf(ExecState*, EncodedJSValue, EncodedJSValue proto) WTF_INTERNAL;
int32_t JIT_OPERATION operationSizeFrameForForwardArguments(ExecState*, EncodedJSValue arguments, int32_t numUsedStackSlots, int32_t firstVarArgOffset) WTF_INTERNAL;
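Review bot: The new `operationPushWithScopeObject` declaration names its first parameter `exec`, while the neighbouring declarations, including `operationPushWithScope` directly above it, leave the `ExecState*` unnamed; for consistency I would write `JSCell* JIT_OPERATION operationPushWithScopeObject(ExecState*, JSCell* currentScopeCell, JSObject* object) WTF_INTERNAL;`. The `C_JITOperation_ECO` typedef matches the definition's signature, so nothing else is needed here.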